Reverse Engineering / Coding

Sunday, 26 April 2009

Today we'll learn how to break a very interesting crackme by Waganono. It shouldn't be too hard if you know how to break a Vigenère cipher.

In the first part, you have to guess the key length. To do that, I ran the Kasiski test (you can find some information about this test here). I found that the key was 8 characters long.

Then I did a frequency analysis (for that, I coded a home-made tool). The author said that the text is French. We all know that the most common characters in French are " " (space) and "e", so once you know which ciphertext byte is the most frequent at each key position, it's easy to guess the key.

First character (ciphertext byte, count, frequency):
  72  52  f=0.227074  22.71%
  37  27  f=0.117904  11.79%

So the first key byte is 72h XOR 20h = 52h = 'R' (as a check, the second most frequent byte, 37h, XOR 'e' = 65h gives the same 52h).

Second character (ciphertext byte, count, frequency):
  65  62  f=0.270742  27.07%
  20  21  f=0.091703  9.17%

So the second key byte is 65h XOR 20h = 45h = 'E'

...

In the end, we have the key, which is an anagram of "reverser": RESREVER.
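The two steps above, the Kasiski test for the key length followed by per-position frequency analysis against the space, as an added example in Python; this is not the author's home-made tool. It assumes a constructed French sample sentence, the key RESREVER recovered in the post, and the space (20h) as the most frequent plaintext byte; the min_fit threshold used to tell the true key length from its divisors is my own choice.

```python
from collections import Counter, defaultdict

SPACE = 0x20  # most frequent byte of French text, the post's assumption

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def kasiski_candidates(ct: bytes, ngram: int = 3, max_len: int = 20) -> list:
    """Kasiski test: repeated ciphertext n-grams lie at distances that are
    multiples of the key length, so their divisors are candidate lengths."""
    positions = defaultdict(list)
    for i in range(len(ct) - ngram + 1):
        positions[ct[i:i + ngram]].append(i)
    distances = {q - p for pos in positions.values() for p in pos for q in pos if q > p}
    return [n for n in range(2, max_len + 1) if any(d % n == 0 for d in distances)]

def column_fit(ct: bytes, n: int) -> float:
    """Mean share of the most common byte per key position; it is high only
    when n is the true key length or a multiple of it."""
    cols = [ct[i::n] for i in range(n)]
    return sum(Counter(c).most_common(1)[0][1] / len(c) for c in cols) / n

def guess_key_length(ct: bytes, max_len: int = 20, min_fit: float = 0.16) -> int:
    """Smallest Kasiski candidate whose columns look like single-byte XOR of
    real text. Ascending order matters: a multiple of the true length fits
    about as well. min_fit assumes the top plaintext byte (the space in
    French) covers at least 16% of positions; tune it for other text."""
    cands = kasiski_candidates(ct, max_len=max_len) or list(range(2, max_len + 1))
    for n in cands:
        if column_fit(ct, n) >= min_fit:
            return n
    return max(cands, key=lambda n: column_fit(ct, n))

def recover_key(ct: bytes, n: int) -> bytes:
    """Per key position, most common ciphertext byte XOR space, exactly the
    post's step (72h XOR 20h = 52h = 'R')."""
    return bytes(Counter(ct[i::n]).most_common(1)[0][0] ^ SPACE for i in range(n))

# Constructed sample (not the crackme's text): one French sentence of odd
# length repeated, so every key position sees every character of it.
PLAINTEXT = b"le chat dort et le chien dort au soleil le vent souffle fort." * 8
KEY = b"RESREVER"  # the key the post recovered
CIPHERTEXT = xor_with_key(PLAINTEXT, KEY)

if __name__ == "__main__":
    n = guess_key_length(CIPHERTEXT)
    print(n, recover_key(CIPHERTEXT, n))  # 8 b'RESREVER'
```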

Thursday, 16 April 2009

I'm back with a source (a solver) for a very interesting crackme by our dear Beatrix.

A guy named jE! (man, you are crazy) solved it manually on crackmes.de. Here's a mathematical solution. I used a tree to model the maze. To get the links between the nodes (each node is an int3 SEH handler), I used the BeaEngine disassembler, a useful library. I hand-coded the tree model itself in C; no library is used for that part.

In fact, the crackme contains several handlers (about one thousand) for the int3 exception. Each handler has 4 ways to modify EIP, so at most 4 different paths can be taken from it (each node has up to 4 children). You have to build a keyfile that follows the right path through the maze to reach the "Registered" message box. You know where the maze begins (at the first handler) and where it ends (at the correct message box), so you have to explore the tree and find a path between these two points. Then you can build a valid keyfile that follows that path.

My program returns the first solution found. With some modifications, you could collect several solutions and choose, for instance, the shortest keyfile.

I won't explain further how I solved it; you may have a look at the crackme and the solver (including the C source) here. To use the solver, you have to unzip the archive, because the solver disassembles "oct.exe", which is the crackme itself. It will generate a valid keyfile.

Thanks to Beatrix for this very interesting crackme and to Baboon for hosting the files.